Method and apparatus for establishing a dynamic multipoint encrypted virtual private network

US 7,447,901 B1
Filed: 09/18/2002
Issued: 11/04/2008
Est. Priority Date: 06/25/2002
Status: Active Grant

First Claim

Patent Images

1. A method for dynamically establishing a secure virtual private network, the method comprising the computer-implemented steps of:

associating a network security policy with a virtual private network interface at a first network device, wherein the first network device comprises a spoke router;

sending an address resolution request to an address resolution server, wherein the address resolution request is sent by the first network device and requests an address resolution for a second network device, wherein the address resolution request specifies a virtual private network endpoint address of the second network device, and wherein the second network device comprises a second spoke router;

in response to sending said address resolution request, receiving input that indicates an association of said virtual private network endpoint address to a corresponding routable network address of said second network device, wherein said routable network address of the second network device is a dynamically assigned network address;

wherein the routers comprise routers in a communication network;

in response to the receiving said input that indicates said association, issuing, to a security protocol module at the first network device, a message that includes the routable network address of the second network device and the network security policy associated with the virtual private network interface at the first network device;

receiving said message at said security protocol module at said first network device;

in response to receiving said message at said security protocol module, generating encryption state information for encrypting and transmitting network traffic from the first network device to the second network device, based on the message;

wherein the encryption state information includes one or more of;

routable network address information,encapsulation protocol information, orsecurity policy information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A process is disclosed in which a security policy is associated with a virtual private network (VPN) interface at a first device, for example, a router. Input is received specifying an association of a VPN endpoint address to a corresponding routable network address of a second device. A message is issued to a security module at the first device, the message including the routable network address of the second device and the security policy. Encryption state information is generated for network traffic from the first device to the second device, based on the message. The process is applicable to a hub-and-spoke network architecture that utilizes a point-to-multipoint GRE tunnel and the IPsec protocol for security. The process is dynamic in that the encryption state is generated for traffic over a VPN link, in response to notification of a virtual address-to-real address mapping, i.e., the association. In an embodiment, the association is an NHRP mapping.

118 Citations

View as Search Results

26 Claims

1. A method for dynamically establishing a secure virtual private network, the method comprising the computer-implemented steps of:
- associating a network security policy with a virtual private network interface at a first network device, wherein the first network device comprises a spoke router;
  
  sending an address resolution request to an address resolution server, wherein the address resolution request is sent by the first network device and requests an address resolution for a second network device, wherein the address resolution request specifies a virtual private network endpoint address of the second network device, and wherein the second network device comprises a second spoke router;
  
  in response to sending said address resolution request, receiving input that indicates an association of said virtual private network endpoint address to a corresponding routable network address of said second network device, wherein said routable network address of the second network device is a dynamically assigned network address;
  
  wherein the routers comprise routers in a communication network;
  
  in response to the receiving said input that indicates said association, issuing, to a security protocol module at the first network device, a message that includes the routable network address of the second network device and the network security policy associated with the virtual private network interface at the first network device;
  
  receiving said message at said security protocol module at said first network device;
  
  in response to receiving said message at said security protocol module, generating encryption state information for encrypting and transmitting network traffic from the first network device to the second network device, based on the message;
  
  wherein the encryption state information includes one or more of;
  
  routable network address information,encapsulation protocol information, orsecurity policy information.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising the step of:
    - transmitting encrypted packets from the first network device to the second network device, based on the encryption state information.
  - 3. The method of claim 1, wherein the step of receiving includes receiving input from a third network device configured as a hub router and as a next-hop server.
  - 4. The method of claim 1, wherein the security protocol is IPsec and wherein the step of issuing a message to a security protocol module is based on the IPsec security protocol.
  - 5. The method of claim 1, further comprising the step of:
    - initiating a key exchange between the first and second network devices which generates pairwise encryption/decryption keys for the first and second network devices.
  - 6. The method of claim 5, further comprising the step of:
    - storing a security association associated with the first and second network devices that includes the pairwise encryption/decryption keys.
  - 7. The method of claim 1, wherein the virtual private network is configured as a point-to-multipoint virtual private network, and wherein the steps of associating, receiving, issuing and generating are based on the point-to-multipoint virtual private network.

8. A method for dynamically establishing a secure multipoint virtual private network, the method comprising the computer-implemented steps of:
- configuring a virtual private network interface on a first router by executing one or more configuration commands associated with the first router, wherein the first router comprises a spoke router;
  
  sending an address resolution request to an address resolution server, wherein the address resolution request is sent by the first router and requests an address resolution for a second router, wherein the address resolution request specifies a virtual private network endpoint address of the second router, and wherein the second router comprises a second spoke router;
  
  in response to sending said address resolution request, receiving at the virtual private network interface input that indicates a n association of said virtual private network endpoint address and a corresponding routable network address of said second router, based on one or more configuration commands associated with the first router, wherein said routable network address of the second router is a dynamically assigned network address;
  
  wherein the routers comprise routers in a communication network;
  
  in response to the receiving said input that indicates said association, receiving at a security protocol module at the first router a message that includes the routable network address of the second router and a network security policy associated with the virtual private network interface at the first router; and
  
  in response to receiving said message at said security protocol module, generating encryption state information for encrypting and transmitting network traffic from the first router to the second router, based on the message;
  
  wherein the encryption state information includes one or more of;
  
  information relating to the routable network address,encapsulation protocol information, orthe security policy information.
- View Dependent Claims (9, 10)
- - 9. The method of claim 8, wherein the step of receiving an association includes receiving a next hop resolution protocol association.
  - 10. The method of claim 9, wherein the step of receiving an association further comprises receiving a dynamic association associated with the second router as the second spoke router.

11. An apparatus for dynamically establishing a secure multipoint virtual private network, comprising:
- a virtual private network interface,configured in association with a first routable network address that relates to a first router, andconfigured to access encryption policy information associated with traffic transmitted from the virtual private network interface;
  
  an address resolution module communicatively coupled to the virtual private network interface and an encryption module, the address resolution module,configured to send an address resolution request to an address resolution server, wherein the address resolution request is sent by the first router and requests an address resolution for a second router, wherein the address resolution request specifies a virtual private network endpoint address of the second router, and wherein the second router comprises a second spoke router, andconfigured to receive, in response to sending said address resolution request, input that indicates an association of said virtual private network endpoint address to a corresponding second routable network address of said second router, wherein the second routable network address is a dynamically assigned network address, andconfigured to issue to said encryption module, in response to receiving said input that indicates said association, a message that includes the second routable network address of the second network device and the encryption policy information associated with traffic transmitted from the virtual private network interface;
  
  said encryption module communicatively coupled to the address resolution module, the encryption module,configured to receive said message from said address resolution module,configured to establish, in response to receiving the message, a security association related to network traffic transmitted from the first routable network address to the second routable network address,configured to encrypt network traffic according to the encryption policy information, wherein the security association references the encryption policy information and a secret key for encrypting and decrypting traffic transmitted between the first routable network address and the second routable network address, andconfigured to generate, in response to receiving said message, encryption state information for encrypting and transmitting the network traffic from the first routable network address to the second routable network address, based on the message;
  
  wherein the encryption state information includes one or more of;
  
  routable network address information,encapsulation protocol information, orsecurity policy information;
  
  wherein the routers comprise routers in a communication network;
  
  an Internet key exchange module configured to negotiate an exchange of the secret key between the encryption module and a second encryption module configured on a device associated with the second routable network address.
- View Dependent Claims (12, 22, 23, 24, 25, 26)
- - 12. The apparatus of claim 11, wherein the encryption module uses IPsec protocol to encrypt network traffic from the first routable network address to the second routable network address.
  - 22. The apparatus as recited in claim 11 wherein one or more encrypted packets are transmitted from the first network device to the second network device, based on the encryption state information.
  - 23. The apparatus as recited in claim 11 wherein the security protocol comprises IPsec and wherein the step of issuing a message to a security protocol module is based on the IPsec security protocol.
  - 24. The apparatus as recited in claim 11 wherein a key exchange is initiated between the first and second network devices which generates pairwise encryption/decryption keys for the first and second network devices.
  - 25. The apparatus as recited in claim 11 further comprising:
    - a storage for storing a security association associated with the first and second network devices that include the pairwise encryption/decryption keys.
  - 26. The apparatus as recited in claim 11 wherein the virtual private network is configured as a point-to-multipoint virtual private network, and wherein the associating, receiving, issuing and generating functions are based on the point-to-multipoint virtual private network.

13. A computer-readable medium storing one or more sequences of instructions for dynamically establishing a secure virtual private network, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- associating a network security policy with a virtual private network interface at a first network device, wherein the first network device comprises a first spoke router;
  
  sending an address resolution request to an address resolution server, wherein the address resolution request is sent by the first network device and requests an address resolution for a second network device, wherein the address resolution request specifies a virtual private network endpoint address of the second network device, and wherein the second network device comprises a second spoke router;
  
  in response to sending said address resolution request, receiving input specifying that an association of said virtual private network endpoint address to a corresponding routable network address of said second network device, wherein said routable network address of the second network device is a dynamically assigned network address wherein the second network device comprises a second spoke router;
  
  wherein the routers comprise routers in a communication network;
  
  in response to the receiving said input that indicates said association, issuing to a security protocol module at the first network device a message that includes the routable network address of the second network device and the network security policy associated with the virtual private network interface at the first network device;
  
  receiving said message at said security protocol module at said first network device;
  
  in response to receiving said message at said security protocol module, generating encryption state information for encrypting and transmitting network traffic from the first network device to the second network device, based on the message;
  
  wherein the encryption state information includes one or more of;
  
  routable network address information,encapsulation protocol information, orsecurity policy information.

14. An apparatus for dynamically establishing a secure virtual private network, comprising:
- means for associating a network security policy with a virtual private network interface at a first network device, wherein the first network device comprises a first spoke router;
  
  means for sending an address resolution request to an address resolution server, wherein the address resolution request is sent by the first network device and requests an address resolution for a second network device, wherein the address resolution requests specifies a virtual private network endpoint address of the second network device, and wherein the second network device comprises a second spoke router;
  
  means for receiving, in response to sending said address resolution request, input that indicates an association of said virtual private network endpoint address to a corresponding routable network address of said second network device, wherein said routable network address of the second network device is a dynamically assigned network address;
  
  wherein the routers comprises routers in a communication network;
  
  means for issuing, in response to receiving said input that indicates said association, to a security protocol module at the first network device, a message that includes the routable network address of the second network device and the network security policy associated with the virtual private network interface at the first network device;
  
  means for receiving said message at said security protocol module at said first network device;
  
  means for generating, in response to receiving said message at said security protocol module, encryption state information for encrypting and transmitting network traffic from the first network device to the second network device, based on the message;
  
  wherein the encryption state information includes one or more of;
  
  routable network address information,encapsulation protocol information, orsecurity policy information.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The apparatus as recited in claim 14, further comprising:
    - means for transmitting encrypted packets from the first network device to the second network device, based on the encryption state information.
  - 16. The apparatus as recited in claim 14, wherein the receiving means further functions to receive an input from a third network device configured as a hub router and as a next-hop server.
  - 17. The apparatus as recited in claim 14, wherein the security protocol comprises IPsec and wherein the issuing means issues a message to a security protocol module based on the IPsec security protocol.
  - 18. The apparatus as recited in claim 14, further comprising:
    - means for initiating a key exchange between the first and second network devices which generates pairwise encryption/decryption keys for the first and second network devices.
  - 19. The apparatus as recited in claim 18, further comprising:
    - means for storing a security association associated with the first and second network devices that include the pairwise encryption/decryption keys.
  - 20. The apparatus as recited in claim 14, wherein the virtual private network is configured as a point-to-multipoint virtual private network, and wherein the means for associating, receiving, issuing and generating perform functions that are based on the point-to-multipoint virtual private network.
  - 21. The apparatus as recited in claim 14, further comprising:
    - means for transmitting encrypted packets from the first network device to the second network device, based on the encryption state information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sullenberger, Michael L., Vilhuber, Jan
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
PAN, JOSEPH T

Application Number

US10/247,695
Time in Patent Office

2,239 Days
Field of Search

713/1, 713/2, 713/188, 713/194, 713/153, 380/200, 380/201, 380/255, 380/277, 176/2, 176/15
US Class Current

713/153
CPC Class Codes

H04L 63/0272 Virtual private networks

H04L 63/164 at the network layer

Method and apparatus for establishing a dynamic multipoint encrypted virtual private network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

118 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for establishing a dynamic multipoint encrypted virtual private network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links